related to regulating the oil and natural gas industry. The report presents audit findings

REPORT SUMMARY


The Board of Oil and Gas Conservation must improve its inspections and
enforcement processes to more effectively regulate the state’s 17,600 active oil and
gas wells.


Context 
The Board of Oil and Gas Conservation and its
staff in the Oil and Gas Conservation Division
regulate oil and natural gas development
in Montana. Their work helps protect the
petroleum resource, property owners, the
environment, taxpayers, and oil and gas
operators. The governor appoints the seven
members of the board. The board and division
are administratively attached to the Department
of Natural Resources and Conservation.


The board is the policy setting and rulemaking 
entity. Administrative functions are the 
responsibility of the division. Division staff 
issue permits; classify wells; issue and carry 
out board orders; conduct field inspections; 
require performance bonds for site restoration; 
and maintain a repository of administrative, 
technical and geologic information about these 
wells. 


Audit work reviewed the regulatory activities 
of the board and division. In addition, we 
examined the controls used to ensure integrity 
and accuracy of the Oil and Gas Information 
System, a database of well information. 


Results 
Under the supervision of the Board of Oil
and Gas Conservation, division management
should generally provide more formalized
direction to division staff for inspection and
enforcement activities.


For the regulatory processes, the division’s 
permitting and abandonment processes appear 
sound, while improvements are necessary for 
the inspections and enforcement processes. 


Although faced with a large number of wells 
to inspect, audit work found the division 
lacks a formalized approach to their work. 


The division should create formal inspection
priorities, develop documented inspection
procedures, improve inspection documentation,
and consistently document field deficiencies
and violations.


When inspectors identify a violation, the board
and division collaborate with the operator to
gain compliance. The division could improve
its compliance rate, and lessen the number of
unresolved violations, by applying existing
compliance timelines and creating additional
ones.


The division could improve management of the
Oil and Gas Information System in the areas
of segregation of duties, security planning,
password policies, and disaster recovery
planning.


Source: Agency audit response included in
final report.





For a complete copy of the report (11P-04) or for further information, contact the
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at
http://leg.mt.gov/audit

Report Fraud, Waste, and Abuse to the Legislative Auditor’s FRAUD HOTLINE
Call toll-free 1-800-222-4446, or e-mail lad@mt.gov.





Chapter I — Introduction


Introduction 


In 1953, the Legislature created the Board of Oil and Gas Conservation (board). 
The board is administratively attached to the Department of Natural Resources 
and Conservation. Statutory purpose of the board and its staff in the Oil and Gas 
Conservation Division (division) is to regulate oil and natural gas exploration, and 
development operations that occur in Montana. Regulation occurs by requiring drilling 
permits, classifying wells, disseminating board orders that establish well spacing and 
other drilling requirements, conducting field inspections, and requiring performance 
bonds to ensure site restoration. In addition to regulatory duties, the division also 
maintains a repository of administrative, technical and geologic information about 
these wells. The board and its staff oversee regulation of more than 43,000 wells, of
which 17,600 are in various stages of production.


Audit Scope 


We reviewed general management activities, business processes, and regulatory 
practices of the board and its staff, as well as controls used to ensure integrity and 
accuracy of the Oil and Gas Information System. This system is a database used to
aid in the board’s regulatory role and also functions as an electronic repository of
production information.


The audit examined the statutory role and responsibilities of the board, and the 
administrative operations of the division. Areas of operation examined included 
drilling permits, field inspections, enforcement activities, bond administration, well 
abandonment, and report filing. The division monitors both regular and underground 
injection wells. Ninety-five percent of active wells are regular wells and five percent
are underground injection wells. Since most division activities relate to regular wells,
audit work focused in this area. Audit work relative to underground injection wells
focused exclusively on permitting and well abandonment activities. The audit also
assessed operations related to records and information management. We examined
data primarily from January 2010 to March 2011.


As part of its regulatory role, the board adopted administrative rules detailing technical 
and scientific standards. This audit did not assess compliance with these technical and
scientific standards.


Division staff coordinates with a number of federal and state agencies including the 
Bureau of Land Management, Environmental Protection Agency, Department of 
Natural Resources and Conservation Mineral Management Bureau, Department of 
Revenue, and Department of Environmental Quality. Department of Revenue uses
oil and gas well production data maintained by the division during tax audits of oil 
and gas production companies. Division staff notifies Department of Environmental 
Quality if air quality permits might be necessary and alerts staff of petroleum spills. 
The audit reviewed coordination with other state agencies. 


Audit Objectives 


To complete this audit, we developed the following objectives: 


1. Determine if the Board of Oil and Gas Conservation has effective controls 
in place to enforce oil and gas conservation laws and administrative rules. 


2. Determine if controls are designed to promote integrity of data maintained 
on the Oil and Gas Information System. 


Audit Methodologies 


To meet audit objectives, the audit included these methodologies: 
• Reviewed applicable statutes, administrative rules, policies and procedures.
• Interviewed board members, observed board meetings, and reviewed related
documents.
• Interviewed division management and staff at division offices in Billings,
in Helena, and at field offices located in Shelby, Plentywood, Sidney, and
Glendive.
• Accompanied field staff on inspections of oil and gas drilling facilities.
• Reviewed and analyzed division records including drilling permits,
inspection records and notices of violation.
• Interviewed industry stakeholders including a representative of the Montana
Petroleum Association and industry field staff.
• Reviewed board information.
• Contacted staff to discover practices used by the North Dakota Industrial
Commission and Texas Railroad Commission.
• Reviewed statutes, administrative rules and policies from other states,
including Arizona, North Dakota, Texas, and Wyoming.
• Interviewed staff from state agencies that coordinate activities with the
board including Department of Revenue and Department of Environmental
Quality.
• Interviewed division staff responsible for management of electronic data,
reviewed related documentation, and contrasted data management operations
to industry best practices.
• Reviewed statutory records management requirements.
• Interviewed staff from the division and Secretary of State’s Office regarding
records management practices, and reviewed related records including the
records retention schedule and contracts for records scanning services.


Management Memorandum 


A management memorandum is a written notification to an agency for issues that 
should be considered by management, but do not require a formal agency response. 
We issued a management memorandum to the board addressing human resource
management controls including position descriptions, performance evaluations and
staff meetings. The memorandum also addresses public records management.


Report Contents 


The remainder of this report includes a background chapter followed by chapters
detailing our findings, conclusions, and recommendations in the following areas:
• Chapter III — Inspection Processes.
• Chapter IV — Enforcement Processes.
• Chapter V — Data Management.


Chapter II — Background


Introduction 
The Board of Oil and Gas Conservation (board) and the Oil and Gas Conservation
Division (division) administer Montana's oil and gas conservation laws. These laws
are designed to promote conservation, prevent waste, and require measures be taken 
to prevent contamination or damage in the recovery of these resources through 
regulation of exploration and production of oil and gas. This chapter presents 
background information about the statutory authority and composition of the board, 
division responsibilities, program funding, and a general overview of stages of well
development and associated regulatory activities.


Statutory Authority of Board 


The board is statutorily established in §2-15-3303, MCA, and is responsible for 
administering statutes found in Title 82, Chapter 11. Statutes stipulate board 
composition. It is a seven-member board consisting of three industry representatives 
with at least three years’ experience in the oil and gas industry; two landowners from 
oil- and gas-producing counties, one who owns both surface and mineral rights and 
one landowner who does not own the mineral rights. In addition, one member must 
be an attorney. The Governor appoints board members to four-year terms. The board
holds six meetings annually, mostly in Billings.


The board functions as the governing body over the regulation of the oil and natural 
gas exploration and development operations. The board is the policy setting and rule 
making entity. The statutory responsibilities and actions of the board are designed 
to help protect the oil and gas resource and the environment. Board actions also 
impact many stakeholders including property and mineral right owners, industry 
representatives, oil and gas operators, and taxpayers. The following figure details areas
impacted by the board’s statutory mandate.
Figure 1
Impacts of Board of Oil and Gas Conservation Mandates

• No physical waste, such as spills (82-11-124, MCA, ARM 36.22.1104)
• No inefficient, excessive or improper use of petroleum
The resource (82-11-101(16), MCA)
• Locating, drilling, operating and production cannot cause
unnecessary loss (82-11-101(16), MCA)
• No inefficient storing (82-11-101(16), MCA)

• Surface must be restored to "previous grade" (82-11-123(4), MCA)
• Board holds performance bond until well plugged and site
restored (82-11-123, MCA)
• Mineral rights owners' correlative rights protected (82-11-201, MCA)

Property owners

• Promote environmentally sound exploration and
production methods (82-11-111, MCA)
• Environmental assessments for drilling permit (ARM 66.22.202)
• Production/disposal pits must be screened or netted
(ARM 36.22.1223)
• Limits on flaring of excess gas (ARM 36.22.1220)
• Wells construction standards to prevent pollution of
freshwater supplies (82-11-123, MCA)
• Regulation of injection wells, which store production
wastewater underground (82-11-1111, MCA)

• Construction standards meant to prevent blowouts, fires,
other hazards (82-11-123, MCA; ARMs 36.22.1014, 36.22.1101,
36.22.1102)
• Protections from toxic H2S gas (ARM 36.22.1222)

• Department of Revenue uses production reports to confirm
oil and gas production taxes (82-11-112, MCA)
• Industry pays privilege tax, which funds board, division (82-11-131, MCA)

Taxpayers

• Spacing of wells (ARM 36.22.702)
• Transporter reports required (ARM 36.22.1243)
• No illegal production (ARM 36.22.1245)
• Proper gauging and measuring of produced oil and gas
(82-11-123, MCA)

Owners

Source: Compiled by the Legislative Audit Division from Montana Code Annotated and
Administrative Rules of Montana.


Division Responsibilities 

The board has statutory authority to hire its own personnel and is currently authorized 
21.5 FTE, of which 16 FTE are filled. The board employs staff with a mix of professional, 
technical, and administrative skills. Employees include a petroleum engineer, geologist, 
underground injection well program coordinator, chief field inspector, field inspectors, 
administrative assistants and board support staff. While overall management and 
policy direction for the division comes from the board, the board appoints a division 
administrator to manage daily activities of staff. 


Division headquarters are in Billings. There is a field office in Shelby and an 
administrative office in Helena. Field inspectors are located throughout the oil and 
gas producing areas of the state, working either out of the Shelby office or from
home-based offices. The following figure illustrates the locations of division staff.


Figure 2 
Location of Oil and Gas Conservation Division Staff 


[Map legend: Division Headquarters; Staff Location]


Source: Compiled by the Legislative Audit Division. 





The board sets policy and division staff implements it. The division is responsible for 
day-to-day functions. Division staff interacts with the industry on a daily basis and 
monitors industry compliance with laws and associated administrative rules. The 
division’s primary responsibilities include: 

1. Issue drilling permits
2. Classify wells
3. Assist in establishing well spacing units and reservoir pooling orders
4. Inspect drilling, production, and seismic operations
5. Investigate complaints
6. Perform engineering studies
7. Determine incremental production for enhanced recovery and horizontal
wells to implement the tax incentive program for those projects
8. Operate the underground injection control program
9. Oversee plugging of orphan wells
10. Collect and maintain complete well data and production information


In addition, staff collects required industry reports, offers technical advice and 
facilitates board decisions. Division staff are responsible for monitoring regular and 
underground injection oil and gas wells. There are approximately 16,700 regular wells 
and 900 underground injection wells in the state. Most division activities relate to 
regular wells. In 2010, the staff processed 330 drilling permits and conducted 4,430
inspections.


Program Funding 


The primary funding source for board and division operations is the privilege and 
license tax paid by oil and gas operations. Statutes authorize the board to set privilege 
and license taxes up to 3/10 of 1 percent of the market value of crude petroleum and 
natural gas produced, marketed and stored in the state. The privilege and license tax is 
currently set at 30 percent of the maximum allowed by statute. In addition, the board 
is statutorily authorized to establish an annual fee on underground injection wells. 
Statutes provide for a maximum $300 annual operating fee for each underground 
injection well. The board set the fee at $200. Other funding sources include drilling 
permit fees and a federal EPA grant used to administer the underground injection
control program. In fiscal year 2011, the board’s operating budget was $2.3 million.


Regulatory Stages of Well Development 


The board is notified when a company begins the exploratory phase of well development. 
However, the board’s regulatory process essentially begins when a company applies for 
a drilling permit. Regulatory oversight does not end until the well is abandoned, which 
is done at the end of its useful life. Throughout the development, production, and 
abandonment phases, division staff are responsible for monitoring operator compliance 
with statute and administrative rules. In addition, staff offers technical expertise to 
producers and the public as needed. Figure 3 illustrates the stages in well development 
along with regulatory responsibilities of the board. 


Figure 3
Stages of Well Exploration and Development

Stage 1
• Company files notice of intention to explore with county clerk; secures lease from
mineral rights owners
• Board staff receives notice of exploration
• What's going on? Company experts identify drilling sites

Stage 2
• Board staff processes and issues permits, collects fee and performance bonds,
develops environmental assessments
• Board determines spacing unit (well location)
• What's going on at the well? Drilling rig arrives, site prep work begins

Stage 3
• Board staff inspects wells, offers technical assistance, identifies violations,
seeks compliance
• Board may issue fines, sanctions
• What's going on at the well? Crews drill well, cement well casing. Drilling rig departs.

Stage 4
• Board staff inspects wells, offers technical assistance, collects required reports,
responds to emergency events, identifies violations, seeks compliance
• Board may issue fines, sanctions
• What's going on at the well? Well produces oil and gas. Crews occasionally
service well or haul away oil and gas.

Stage 5
• Board staff witnesses well plugging, confirms site restoration, offers technical
assistance, identifies violations, seeks compliance
• Board may seize company's plugging bond
• What's going on at the well? Crews plug well with cement. Site restored.

Source: Compiled by the Legislative Audit Division.





Conclusion: Regulatory Activities Could Be Improved 


This audit measured aspects of the board’s performance at every step of the regulatory 
process. Audit work revealed that while the board administers permitting, report 
collection, and well abandonment stages adequately, controls for inspections and 
enforcement activities could be improved. The following figure illustrates operational
areas that function well and areas that could be improved.


Figure 4 
Board of Oil and Gas Conservation Regulatory Processes Could Be Improved


[Process diagram; recoverable labels: Permitting, Inspections, Report Collection. Legend: Adequate]


Source: Compiled by the Legislative Audit Division. 





The remainder of the report discusses the results of our audit work and presents
findings and recommendations for improvement.


Chapter III — Inspection Processes


Introduction 


Our primary audit objective was to determine if the Board of Oil and Gas Conservation 
has effective controls in place to enforce oil and gas conservation laws and administrative 
rules. During the audit we discussed inspection processes and requirements with 
division management and staff, accompanied staff on field inspections, reviewed 
inspection related documents, and examined applicable statutes, administrative rules, 
and board policy. In addition, we compared Montana's inspection processes to those of
other states’ oil and gas regulatory entities.


Audit work revealed the inspections process could be strengthened through more active 
management and a formalized approach. Taking this approach would help ensure an 
effective inspection process and better use of division resources. This chapter discusses
audit findings and recommendations related to the following areas:
• Inspections fill integral role
• Defining inspection priorities
• Developing formal inspection policies and procedures
• Improving inspection activity documentation


Inspections Fill Integral Role 


Inspections are an integral part of the board’s regulatory process. Inspections are 
necessary to ensure oil and gas exploration and development operations adhere to 
statutory requirements and administrative rules. The division relies on a staff of six 
to conduct field inspections and monitor 17,600 active wells. Through visits to the oil 
and gas fields, inspectors examine things such as drilling and production equipment, 
safety-related gear, and surrounding areas for evidence of leaks or other environmental 
hazards. Inspectors typically work out in one of the state’s 395 oil- and gas-producing
fields. Most field inspections are random although operators can schedule others. One
such scheduled visit is a mechanical integrity test, which verifies whether an injection
well is leaking.


Field inspectors conducted over 4,430 inspections and identified 501 inspection 
deficiencies or violations in 2010. Figure 5 illustrates location of inspectors and oil and
gas wells.


Figure 5
Distribution of Oil and Gas Wells and Locations of Inspectors


[Map legend: Inspector Location; Well Location]


Source: Compiled by the Legislative Audit Division from board records. 





Defining Inspection Priorities 


Division management can influence an inspector's priorities by requesting an inspector 
visit a particular site. However, division management has not defined priorities for 
inspectors nor provided formal guidance. As a result, inspection priorities differ greatly 
between the various inspectors with little agreement as to what the priority or high 
risk areas for inspections are. In addition, inspector priorities may not align with the 
chief field inspector's stated priorities for the inspection program. Inspectors said they 
tend to focus their efforts on “problem operations” which is based on the inspector's 
previous experiences. When asked about their most important inspections, inspectors 
indicated different priorities. Table 1 indicates the priorities of four inspectors and
illustrates how these top priorities differ.


Table 1 
Analysis of Inspector Priorities 





Inspector A       Inspector B       Inspector C       Inspector D
Spills            ID signs          Plugging          Surface casing
Plugging          Leaks or spills   Surface casing    Plugging
Surface casing    Drilling pits     Problem wells     Production issues





Source: Compiled by the Legislative Audit Division. 





As the prior table illustrates, inspector priorities vary greatly, and no inspectors gave 
priority to responding to public or industry complaints or notices. Some of these 
differences may be due to regional demographics such as age of the oil well field or the 
phase of well production. 


Risk-Based Approach Can Be Used 


Other states’ oil and gas regulatory agencies have taken steps to formalize inspection 
priorities and use a risk-based inspection approach for managing their inspection 
processes. For example, the regulatory commission in one state prioritizes complaints 
and notices it receives from the industry or the public regarding possible incidents 
of pollution and public endangerment to ensure the highest risk incidents receive 
the quickest response. Examples of first priority incidents include emergency events, 
blowouts, major spills, accidents, and injuries. In addition, a formal risk-based approach
is used to identify wells for inspection that pose a greater risk based on factors such as:
• Compliance history of operator and at the particular well site
• Length of time since last inspected
• Whether well is in an environmentally sensitive area
• Age of facilities and equipment
• Nature of activity


In addition, a formal approach is used for scheduling periodic inspections of oil and
gas wells to help ensure all wells are inspected on a regular basis.


In Montana, the division’s Underground Injection Control (UIC) Program adopted 
a risk-based approach to prioritize and schedule inspections of underground injection 
wells. The program manager monitors which injection wells require periodic inspection
and notifies staff when inspections are due.


Current Approach of Montana Program


Our review of the Oil and Gas Information System (system) records found:
• The division has not inspected 58 percent of active wells in at least five years.
• Four wells were inspected more than 20 times.
• Twenty percent of wells with an identified inspection deficiency or violation
did not get a follow-up inspection.


Without an organized approach, inspection inconsistencies may compromise 
inspection and enforcement efforts. If inspectors do not inspect wells, violations 
may go undetected. Because this competitive industry requires a level playing field,
established priorities would help ensure consistency in inspections.


Need to Establish Formal Risk-based Inspection Priorities 


The division needs to develop tools to help inspection staff plan activities. While 
inspector discretion and responsibility for prioritizing their own workload is important, 
an organized approach to inspections would improve inspection and enforcement 
efforts. Section 82-11-111, MCA, requires the board to investigate to determine 
whether waste exists or whether other factors exist that justify any action by the board. 
This section also requires measures be taken to prevent contamination of or damage to 
surrounding land or underground strata caused by drilling operations and production. 
To ensure the board meets its statutory mandate and devotes its limited resources on 
inspecting the wells that pose greater risk, the division should develop a process to 
prioritize inspections. While inspecting every well every year is not realistic, a formal 
approach to inspections will provide risk-based priorities for inspectors to attain
maximum effectiveness while ensuring fairness.




RECOMMENDATION #1 


We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, develop a formal risk-based inspection approach that 
establishes inspection priorities. 




Formal Inspection Policies and Procedures Should Be Developed


Inspectors typically work out of their homes with minimal supervision. They travel 
directly to inspection sites, often in remote locations. While this decreases the amount
of time employees must use to travel to the locations they regulate, we found the division
could improve its remote management and oversight of inspectors. Management does
not provide inspectors with documented inspection policies or procedures relative to
non-UIC wells or regularly meet with remote staff, hampering communication of
informal policies and practices. Formalized policies or procedures could detail what
inspectors should be examining as they inspect well sites, equipment, facilities and
surrounding areas.


Other Programs Have Formal Policies and Procedures 


Documented policies and procedures are an important element of guiding staff in 
performing job duties. State of Montana policy states agency managers should 
establish and maintain a coordinated set of policies and procedures to ensure efficient 
and effective operations. Oil and gas regulatory operations in other states have formal 
documented policies and procedures for their inspection processes. Examples of
procedures include:
• Assigning and conducting on-site inspections
• Recording inspection activities
• Responding to complaints and timelines for responding
• Following up to identified field violations
• Quality control review


The division's UIC Program has formal policies and procedures for UIC well 
inspections. The Environmental Protection Agency developed a detailed training 
manual relative to specifics about conducting inspections of underground injection 
wells including inspection procedures, plugging, mechanical integrity testing, other 
well tests, and enforcement procedures. The division adopted this manual as its formal
policy for UIC well inspections.


Formal Inspection Policies and Procedures Would Be Beneficial


Without documented policies and procedures for the division’s inspection program 
for non-UIC wells, it is difficult for division management to ensure inspections are 
standardized and minimum requirements met. The lack of documented policies and 
procedures contributes to inconsistencies in the inspection process and ultimately limits 
the effectiveness of field inspections. Without formalized policies and procedures, the 
board also runs the risk of a lower level of transparency of its regulatory activities to the
public and the industry.


The division established formal policies and procedures for the UIC program and
should do likewise for the inspection program for non-UIC wells. Documented
policies and procedures would guide staff in performing inspection processes, help to
improve consistency of inspections, and provide a valuable tool to inspection staff who
work remotely with little day-to-day supervision.




RECOMMENDATION #2


We recommend the division, under the supervision of the Board of Oil and
Gas Conservation:


A. Develop formal policies and procedures pertaining to the inspection 
program. 


B. Ensure these policies and procedures are applied consistently by staff. 


Inspection Activity Could Be Better Documented


During the audit, we examined the process used to document inspection activities 
including initial field inspections, follow-up inspections, noncompliance by well
operators, and issue resolution. We found processes could be improved in these areas:
• Documenting inspections
• Documenting operator noncompliance
• Tracking compliance status and issue resolution


The following report sections discuss these areas in detail. 


Documenting Inspections 


Staff uses a paper inspection form to record inspection observations, details and results. 
The inspection form includes fields for well name and number, date of inspection, notes 
about the inspection, type of inspection, checkbox indicating whether or not a violation 
occurred, and notes about any identified failed items or violations. We reviewed 101 
inspection forms completed in 2010 to examine adequacy and consistency of inspection 
documentation. Our audit work found concerns with documenting inspections, 
including incomplete, inconsistent and inaccurate inspection forms. Examples include: 
• Ten percent (10 of 101) of sampled inspection forms were missing the
inspection type. Inspection types identify the nature of an inspector's visit,
such as routine, construction, emergency response, plugging witnessed,
complaint, etc.
• Six percent (6 of 101) of sampled inspection forms were recorded on an
alternative inspection form. This alternative form does not contain the same
data fields as the primary inspection form.


Subsequent interviews revealed other issues with documenting inspections. Staff uses 
at least two other, alternate forms to record inspections. Staff refers to these forms as 
dailies and weeklies. In addition, managers do not require documentation of every
inspection and not all inspections are entered into the division’s information system.


Documenting Operator Noncompliance 


When staff identifies noncompliance with statute or administrative rule, they record 
details of the violation on the inspection form and provide a copy to the well operator. 
The division refers to infractions of administrative rules as either deficiencies or 
violations. The division requires certain information be recorded when documenting 
noncompliance. For example, the administrative rule should be cited. The inspection form
also contains fields to record details about the failed items or violation, the date the
operator was notified about noncompliance, the date by which a remedy is required, and
whether a photo was taken.


During audit work, we reviewed a sample of 27 inspection forms where inspections 
performed in 2010 identified noncompliance issues. Our audit work found concerns 
with documenting operator noncompliance. For example:
• Forty-eight percent of inspection forms did not cite the administrative rule
the operator violated.


• Forty-four percent of inspection forms did not note the date the operator was
notified of noncompliance.


• Eighty-one percent of inspection records did not contain a photo of the
noncompliance.


Our audit work revealed other concerns with documenting operator noncompliance.
Staff did not record detailed notes regarding identified noncompliance or clearly
indicate they notified the operator. We also found inspectors used an alternate form
to document noncompliance for 15 percent (4 of 27) of the records reviewed. This
alternate form is problematic as it lacks most of the fields from the regular form. We
also noted division staff do not use fail codes on noncompliance notices. A fail code is
a data field meant to specifically identify the nature of the noncompliance.


Tracking Compliance Status and Issue Resolution 


Audit work revealed it was difficult to track if or when an operator addressed
noncompliance and whether division staff conducted follow-up inspections to ensure
compliance. Records regarding compliance status are often incomplete and outdated.
For example, records contained deficiencies or violations that occurred years ago and
it was unclear whether these compliance issues were resolved. We also found the
division currently uses many different tracking mechanisms to monitor and document
compliance status and resolution. As a result, compliance status is not documented in
one place, nor is recorded data consistent.


Other Documentation Practices 


Oil and gas regulatory agencies in other states established procedures to ensure 
inspections are consistently and thoroughly documented. For example, one state 
has unique inspection forms for specific types of inspections such as responding to 
complaints, examining cement casings, and inspecting a plugging operation. These 
forms provide a basis for thoroughly and consistently documenting inspections. In 
addition, management takes steps to monitor and ensure staff properly document
inspections and use forms correctly.


Other states also established practices to ensure noncompliance issues are well
documented and compliance status is tracked to ensure outstanding noncompliance
issues are addressed and resolved. These states have detailed written guidance that
addresses how to document noncompliance, determining severity of noncompliance,
need for follow-up inspections, issuing subsequent notices, and enforcement referral
procedures. For example, one state’s policy stipulates documentation must include exact
location and identification of site where violation exists, description of the violation
with appropriate citations (statute, rule or policy), brief description of the necessary
corrective action, and a deadline by which corrective action must be completed.


Inspection Activity Documentation and Tracking Should be Standardized


The board needs to adopt the best practices of other states’ regulatory agencies and 
standardize how staff document inspections and noncompliance, and develop a 
unified means to track status of operator compliance. Such processes would improve 
consistency and thoroughness of documentation, and help ensure division staff is 
performing inspection activities as desired. As part of standardizing how inspection 
activity is documented, management should address the number of different forms 
staff currently uses to document activities, and designate the official record to be used 
to document inspections and noncompliance. The division needs to standardize what 
information staff must record during inspections and what data to record relative to 
operator noncompliance. The division already has the tools to better track operator 
noncompliance. The division’s UIC Program routinely tracks compliance status and
issue resolution through its use of the Oil and Gas Information System. The division 
should apply this tracking tool to the entire inspection program. 


Standardizing inspection activity documentation and establishing a unified process 
to track compliance status will strengthen the division's inspection process, ultimately 
creating a more effective inspection program.


RECOMMENDATION #3

We recommend the division, under the supervision of the Board of Oil and
Gas Conservation, standardize how inspections and compliance activities are
documented and tracked.


Chapter IV — Enforcement Processes


Introduction 


Our primary audit objective was to determine if the Board of Oil and Gas Conservation 
has effective controls in place to enforce oil and gas conservation laws and administrative 
rules. While the prior chapter focused on inspection processes, this chapter focuses 
on board and division enforcement actions taken to resolve noncompliance identified 
during inspections. During the audit we reviewed enforcement-related statutes,
administrative rules and documented procedures. We analyzed a sample of
enforcement-related records and discussed enforcement activities with board members
and division staff. We also compared the board’s enforcement processes with those used
by other states’ similar regulatory bodies.


The board has fostered a culture of working with the industry and seeking compliance
through collaboration. It is a balancing act between promoting exploration and
development of oil and gas resources and ensuring the industry complies with
statutes and administrative rules designed to:
• Prevent waste and ensure efficient recovery of the resource
• Prevent harm to the surface or underground resources
• Protect rights of lease holders and mineral owners


By using a collaborative approach, industry typically complies with requirements
enacted by the Legislature and the board. However, we found the board could improve
upon its enforcement approach by defining and clarifying some of the enforcement
strategies it developed. This chapter discusses audit findings and recommendations
related to the following areas:
• Current enforcement activities
• Application of existing compliance timelines
• Additional compliance timelines needed


Current Enforcement Activities 


When division inspectors identify noncompliance by an operator, they attempt to
work out the problem directly with the operator. This involves visits to the well site
or phone calls to the operator. Inspectors said they usually give operators at least three
chances to comply. If the noncompliance issue remains unresolved, inspectors transfer
it to the chief field inspector. The chief field inspector follows up with more formal
phone calls and letters to the operator, again seeking compliance. If noncompliance is
not addressed, a violation notice is prepared and the board holds a show cause hearing.


We analyzed data within the Oil and Gas Information System to determine what
proportions of noncompliance issues were resolved or unresolved. Figure 6 demonstrates
the proportions of resolved and unresolved noncompliance issues.


Figure 6
Distribution of Resolved and Unresolved Compliance Issues
Wells Cited in 2010


[Chart not reproduced. Legend: Unresolved; Resolved by division staff; Resolved by board]


Source: Compiled by the Legislative Audit Division from Oil and Gas Information System.





As illustrated in Figure 6, division data shows 35 percent of noncompliance issues
recorded on the division’s information system have not been resolved. According to
division management, some of these unresolved issues may be due to record-keeping
discrepancies, as not all enforcement data is recorded on the Oil and Gas Information
System.


Our review of enforcement-related records and outcomes revealed current enforcement
strategies are not always successful and field violations remained unresolved. Statute,
administrative rule and division practices provide a framework for the enforcement
process. The board has adopted some compliance timelines and a penalty policy to
provide additional means of encouraging operator compliance. While a general
enforcement framework is in place, enforcement processes could be strengthened.


Application of Existing Compliance Timelines 


The board established some timelines in administrative rule with which oil and gas
well operators must comply. Administrative rules provide compliance timelines in six
instances. Operators must:


1. Remove all hydrocarbons from earthen pits within 10 days after drilling.
2. Fence pits with a high proportion of dissolved solids within 90 days.
3. Provide immediate notice of a spill of more than 50 barrels of oil or water.
Operators must file a written report within five days.
4. Remove oil, water, and contaminants from certain pits within 48 hours.
5. Perform mechanical integrity tests on injection wells every five years.
6. Clean up spills “promptly.”


Audit work revealed the division is not consistently applying these mandated timelines.
We found one timeline in particular was interpreted differently: the timeline relative
to cleaning up spills “promptly.” We reviewed eight spill violations and found the
following timelines cited on the notices of violation:
• “Immediate” (4 violation notices)
• “When the battery dries up” (1 violation notice)
• 5 weeks (1 violation notice)
• 2 months (1 violation notice)
• No deadline (1 violation notice)


Operators may view these disparities in application of timelines as inequitable or unfair.
Requiring operators to correct similar violations within similar timeframes would give
greater assurance that the board and division treat all operators equitably.


Additional Compliance Timelines and Guidance Needed 


As discussed in the previous section, administrative rules contain few specific 
compliance timelines for operators to adhere to. Although operators are required to 
follow and comply with nearly 100 administrative rules, many of which relate to 
high risk areas involving safety or environmental protection, only five compliance 
timelines currently exist. In addition, there are no documented policies or guidance
that address the amount of time division staff should allow operators to correct
noncompliance issues. There is no formal guidance on whether division staff should
conduct follow-up inspections to confirm compliance or timeframes for conducting
follow-up inspections.


Other States use Comprehensive Enforcement Approach 


Other states use a more defined approach to encourage operator compliance, including
more formal timelines that operators must follow and formal guidelines for staff to
follow when addressing enforcement issues. For example, one state established detailed
policies to serve as a framework for addressing noncompliance issues and to guide
inspection staff when issuing violation notices and seeking operator compliance.
These policies incorporate specific timeframes on how long to give operators to
correct violations. Inspectors must cite these timelines on violation notices provided
to operators. Policy also establishes timelines for inspectors to conduct follow-up
inspections to confirm compliance. All timelines are based on the severity of the
violation, with major violations having shorter timelines.


Improving Enforcement Strategy 


The board should take steps to build upon and strengthen its current enforcement 
strategy. It needs to ensure staff consistently applies operator compliance timelines 
developed by the board and stipulated in administrative rules. The board should 
expand the use of compliance timelines adopted through administrative rule in order 
to maximize their efforts and more closely align with the practices of other states. In 
addition, the board needs to establish formal policy that provides corrective action 
guidelines and specifies the amount of time staff should allow operators to come into 
compliance. Policy should also define when staff should complete follow-up inspections 
and ensure staff consistently follows this policy. The board may want to consider the 
severity of violations when developing the policy. Taking these steps will strengthen the
enforcement strategy, improve consistency of enforcement actions, and help decrease
the backlog of unresolved noncompliance issues.


RECOMMENDATION #4


We recommend the division, under the supervision of the Board of Oil and
Gas Conservation, strengthen enforcement activities by:


A. Ensuring compliance with existing administrative rule timelines.
B. Identifying if additional corrective action timelines are needed.
C. Establishing formal guidelines for corrective action activities.


Chapter V - Data Management


Introduction 


The Board of Oil and Gas Conservation is a major repository of technical and 
administrative information about oil and natural gas producers conducting exploration 
and development activities in the state. A number of agencies and parties rely on this 
information, including the board and its staff, Department of Revenue, and industry 
representatives. Information exists in electronic and hard copy formats. This chapter 
addresses the following objective: 


• Determine if controls are designed to promote integrity of data maintained
on the Oil and Gas Information System.


Audit work revealed the board generally has controls in place for managing electronic
data. However, the board could strengthen its data processes. This chapter presents
audit findings and recommendations relating to data management.


Oil and Gas Information System Controls 


The Oil and Gas Conservation Division maintains much of its key program information 
in the Oil and Gas Information System (system), a database used to store general well 
data, production information, and division activities such as permits, inspections, 
and complaints. Both internal and external users access the system. Internally, the 
data supports division business processes including tracking general well data (such 
as ownership, bonding, location, construction, production, and restoration), issuing 
permits to drill, tracking underground injection wells, reporting field inspections 
and violations, and adjudicating complaints. Access to internal data is through 
an application residing on division servers. Externally, operators use the system to 
establish exploration locations, examine production quantities of existing wells, and 
identify ownership interests of individual oil or natural gas wells. Furthermore, the 
Department of Revenue uses production and well information from the system for 
tax auditing purposes. External access is through a website that stores automatically
replicated data from the main data system.


Strengthening System Management Controls 


Data integrity gives a user confidence that the data relied on is correct and that controls
generally prevent unauthorized or accidental changes. Through interviews, observations, and
queries of the system, we evaluated controls over the system including user access, data
entry, change management, and event logging. In general, audit work revealed system
controls could be strengthened. Audit work identified three areas where overall system
and data integrity risk is elevated and can be lowered by strengthening controls:
• Segregation of duties
• Security planning
• Disaster recovery planning


The remainder of this chapter discusses these areas.


Segregation of Duties 


Agency management is generally responsible for information technology (IT) system
data integrity controls. For the oil and gas system, that responsibility resides with one
person, the system manager. Specifically, the system manager:
• Develops, tests, and implements modules and changes.
• Troubleshoots and corrects any operational issues.
• Sets up and manages security controls.
• Completes system structural changes such as changes to the system tables
and reports.
• Changes data which cannot be changed through the system application.


No other division staff currently has the knowledge needed to perform these system
management responsibilities. As a result, there is no segregation of system management
duties and one individual performs incompatible duties, such as setting up and
reviewing user access. Adding to these concerns is the fact that very little is documented
about system controls, operations, and maintenance; all of these elevate system risk.


State IT Policy requires a segregation of duties between individuals to prevent 
unauthorized activity. It is an important tool for preventing unauthorized activity in 
an information system. It is a process for assigning various system responsibilities to 
a number of separate users. Such segregation allows system management activity to 
occur with verification of each step’s completion by different personnel and lowers the 
risk a single user will make undetected changes to the system. Without a segregation 
of duties, the system manager could potentially make system data or programming 
changes without authorization. 


The Oil and Gas Information System is important to both internal and external users. 
The division should take steps to reduce the current level of system risk by establishing a 
process that ensures segregation of duties over management of this system. A common 
step taken to strengthen controls is to assign monitoring duties to another staff person. 
Monitoring another user’s system activity is considered a preventative segregation of 
duties. For example, the division administrator or other personnel could approve and 
regularly review user account access or approve and review data changes. This would
allow segregation through involvement of personnel other than the system manager.


RECOMMENDATION #5


We recommend the division, under the supervision of the Board of Oil and
Gas Conservation, comply with state information technology policy to ensure
a segregation of duties over management of the Oil and Gas Information
System.


Security Planning


An IT security plan provides an overview of a system's security requirements and 
describes the controls in place or planned for meeting those requirements. Security 
plans typically address items such as user access, password protection, and tracking 
system activity. The system security plan also delineates responsibilities and allowable 
actions of all individuals who access the system. State law (§2-15-114 (1), MCA) 
requires agencies to develop and maintain written internal policies and procedures 
to ensure security of data. An agency security plan should contain or refer to these 
security policies and procedures. Without this guidance, controls may not be applied
or may be applied incorrectly, increasing the risk data integrity may be affected.


Division staff, Department of Revenue, and oil and gas industry companies consider 
data integrity as vital. As a result, security controls must be in place to maintain data 
integrity. Since the security plan documents both the security needs of a system and 
the controls in place to meet those needs, it is a guiding document to putting security 
controls in place. We determined the division does not have any documented security 
plan in place for the system. 


The division’s lack of a security plan increases the risk system controls do not work
as designed. For example, although the division requires use of passwords to access
the system, they do not apply the state’s IT password policy in the system. A typical
security control is a difficult-to-guess password. To make a password more difficult to
guess, it should consist of a nonsensical combination of lower and upper case letters,
numbers, and symbols.


Easy-to-guess passwords provide a weakness potentially allowing an unauthorized
individual access to the division’s network. This access could allow the individual 
to place unauthorized or illegally obtained data and software on the network, make 
unauthorized changes to system data, or use the access to connect to, or bypass, other 
state network defenses such as firewalls. There are 12 user accounts with access to the 
system and five have the ability to add, change, or delete data in the system. Based 
on what these five accounts can do, they are most at risk; therefore, strong password 
protection is even more important.


If an Oil and Gas Information System security plan existed as guidance to the access
process, the division would have identified the need to meet the state’s IT password
policy. System management indicated a security plan has not been a priority.


RECOMMENDATION #6


We recommend the division, under the supervision of the Board of Oil and
Gas Conservation, comply with statute and state information technology
policy by:


A. Developing, documenting, and maintaining an Oil and Gas Information
System security plan.


B. Enforcing, through automated methods, the state information technology
password policy for the Oil and Gas Information System.


Disaster Recovery Planning


Business continuity is a series of processes implemented to ensure continued availability 
of services and resources. An important element of business continuity is disaster 
recovery planning. Disaster recovery planning is a set of steps, communications,
and responsibilities to execute if an interruption of services occurs. An effective
plan is documented and designed to quickly and completely reestablish a system or
service following a service interruption or disaster, resulting in minimum loss to the
organization. One key to recovery planning is backups; the division maintains and
tests several backups, including copies kept at an offsite location.


State IT policy requires agencies to follow a security framework issued by the National 
Institute of Standards and Technology. Institute standards require development, 
documentation, maintenance, and enforcement of a contingency (disaster recovery) 
plan. Although the division has several backups, there is no documented recovery plan 
as management stated there is not enough risk to require development of a plan. Only 
the system manager knows how to restore the system in the event of a disaster. If 
the system manager was not available to restore the system, the responsibility would 
fall on other division managers, who do not have the level of knowledge required to 
restore the system. When questioned about the lack of formal disaster recovery plans,
management stated they could refer to one of three sources to assist in restoring the
system:
• One of the division’s IT vendors
• Department of Natural Resources and Conservation’s IT Bureau
• Another state with a similar system


However, using any of these methods is problematic because there is no documented 
disaster recovery plan. Even if the source was familiar with this system or disaster 
recovery in general, without a documented recovery plan, system recovery may leave the 
system inoperative for two to three weeks, especially if restoration required equipment 
replacement. Although this would not prevent division staff from performing their 
required duties, it would make job performance more difficult, less timely, and more 
costly as the division would have to rely on hard copy records. Furthermore, users 
outside the division have stated loss of the system would be critical if not available for 
more than four or five days. For example, the Department of Revenue cross matches 
Oil and Gas Information System production data against oil and gas company tax 
data. The cross match is a required Department of Revenue function and is a
time-sensitive process.


In general, an IT system disaster recovery plan should be created while considering the
agency’s mission and how the system affects the agency's ability to fulfill its mission.
There are many other considerations including:
• Recovery locations
• Resources needed (human, financial, and IT resources)
• Roles and responsibilities
• Vendor agreements
• How the plan will be tested


Once planning is complete, the disaster recovery plan is developed and documented
based on this information. On a regular basis, recovery is then tested and results
recorded to allow evaluation of lessons learned. The plan should be updated, if needed,
based on the testing results. The last step would be to evaluate any system changes
and adjust the disaster recovery plan if needed. Plan maintenance must occur to keep
the disaster recovery plan up to date. Since no recovery plan exists for the system, the
division should consider this process while developing their disaster recovery plan.


RECOMMENDATION #7


We recommend the division, under the supervision of the Board of Oil
and Gas Conservation, comply with state information technology policy by
developing, documenting, testing, and maintaining an Oil and Gas Information
System disaster recovery plan.
July 26, 2011

[Stamp: RECEIVED JUL 26 2011, LEGISLATIVE AUDIT DIV.]


Tori Hunthausen, CPA
Legislative Auditor
P.O. Box 201705
Helena, Montana 59620-1705


Dear Ms. Hunthausen:


Thank you for the opportunity to review and comment on the performance audit of the Board of Oil and 
Gas Conservation's regulatory program. This audit represents many hours of effort on the part of both 
your staff, members of the Board of Oil and Gas Conservation and the Board’s administrative staff. We 
appreciate the Legislative Audit Staff commitment to this project, including the field office visits and 
participating in field work with our inspectors during a portion of one of the harshest winters in recent
memory. 


The audit report concentrates on the Board’s Inspection and Enforcement Program and its Electronic 
Data Management Program; both important elements of the overall oil and gas conservation and 
regulatory process in Montana. 


As the audit report correctly notes, a number of recommendations for improvement of the regulatory 
inspection program are already implemented and functioning in the Board’s UIC program. The division 
staff began to transition from the entirely paper-based inspection documentation system to one
incorporating the electronic data management system designed for the UIC program. As part of that 
transition the staff planned to implement virtually all of the aspects used in the UIC program inspection 
system including more formalized inspection documentation and a more standardized method of 
preparing data input/tracking information. The division agrees that the risk-based processes established 
in UIC can be applied to other regulatory activities and measurably improve the program. 


RECOMMENDATION #1 

We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, develop a formal risk-based inspection approach that 
establishes inspection priorities. 


RECOMMENDATION #2 

We recommend the division, under the supervision of the Board of Oil and
Gas Conservation:

A. Develop formal policies and procedures pertaining to the inspection program. 
B. Ensure these policies and procedures are applied consistently by staff. 


RECOMMENDATION #3 
We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, standardize how inspections and compliance activities are documented and tracked.


We concur with recommendations 1 through 3. Although we feel that these three recommendations are 
basically the same recommendation, we believe the division and the Board can implement the 
recommendations in the same manner: by expanding the UIC program's inspection policies and procedures,
including setting of inspection priorities, establishing standardized policies and standardizing the
associated documentation. The current well inspection program has been successful in achieving 
compliance with the rules and regulations. It has been responsive to landowner complaints, spills, leaks 
and other emergencies, and it has provided the Board with reliable on-the-ground information and 
observations. However, improving the documentation and consistency of inspection results is desirable. 


The inspection manual currently used in UIC will need to be reviewed and edited to reflect the broader 
scope of wells to be inspected. The UIC manual does not include oil and gas production facilities and 
some aspects of drilling including blow-out prevention and similar mechanical/safety requirements 
ordinarily inspected during drilling and those sections and other new sections will need to be written. The 
prioritization will also need editing to reflect more classes of wells than the injection well subset currently 
addressed. The use of standardized inspection forms is well on its way toward implementation; the 
outstanding non-standard reports and inspection priorities will be reviewed to determine if separate forms 
are truly needed as some other states use. It should be noted that the supervision by the Board will be 
policy direction and guidance to reflect the nature of the Board’s meeting schedule and the available time 
of the minimally compensated volunteer Board. 


RECOMMENDATION #4 

We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, strengthen enforcement activities by: 

A. Ensuring compliance with existing administrative rule timelines. 

B. Identifying if additional corrective action timelines are needed. 

C. Establishing formal guidelines for corrective action activities. 


We concur with recommendation #4. Enforcement policies will be reviewed with the inspection policy to 
incorporate existing timelines into the enforcement policy. Board and staff will review existing rules to 
determine if additional time lines are needed. Rulemaking to add formal timelines to the administrative 
rules may require a substantial commitment of both Board and staff time; developing timeline guidance or 
corrective action timelines can be done more quickly. 


The remaining three recommendations relate to the Oil and Gas Data Management System. The Board
uses the Risk Based Data Management System (RBDMS) along with at least 22 other oil and gas 
producing states. This system began when the Board applied for UIC primacy as a means to manage 
UIC data and inspection/enforcement activities. The system has been developed using U.S. Department 
of Energy grants administered by the Ground Water Protection Council (GWPC). Montana was one of 
the four original states that volunteered to test and implement RBDMS. RBDMS was expanded to include 
all of the state data management needs in addition to the UIC program. RBDMS is a modular 
development system where states propose modifications or improvements and after testing other states 
may implement the changes without any direct development costs. The division administrator is one of 
the three members of the RBDMS steering committee; the Board’s Petroleum Geologist is a member of 
the RBDMS technical committee. 


The ongoing goal of RBDMS is to provide states with an oil and gas data management system that 
uses standard database software (Microsoft SQL Server) and off-the-shelf data tools (Microsoft Access 
or Microsoft .NET) in an environment that can be managed by existing technical staff — geologists or 
engineers — without extensive need for IT staff. GWPC provides RBDMS training and technical 
assistance from GWPC contracted IT professionals. The RBDMS model has been successful in 
Montana; the division operates a multimillion dollar database into which it has invested mostly in-kind staff 
time and less than $100,000 over a ten year period for customization, server configuration and the 
production data reporting module that is unique to Montana. The Board and division plans to maintain 
the RBDMS model; it also intends to implement the recommendations of the audit report, but wishes to 
express concern about a commitment of personnel and resources that it may not be able to anticipate at 
this time. 

RECOMMENDATION #5 

We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, comply with state information technology policy to ensure 
a segregation of duties over management of the Oil and Gas Information System. 


We concur with this recommendation; the division administrator has begun approving access and data 
changes. 


RECOMMENDATION #6 

We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, comply with statute and state information technology by: 

A. Developing, documenting, and maintaining an Oil and Gas Information System security plan. 

B. Enforcing, through automated methods, the state information technology password policy for the Oil 
and Gas Information System. 


We concur with this recommendation and believe it can be implemented as described in the audit report 
without excessive commitment of resources or staff time. The division staff will investigate the security 
plans used by DNRC and by other RBDMS states. 


RECOMMENDATION #7 

We recommend the division, under the supervision of the Board of Oil and Gas Conservation, comply 
with state information technology policy by developing, documenting, testing, and maintaining an Oil and 
Gas Information System disaster recovery plan. 


The Division and the Board generally concur with this recommendation; however, the Board is 
administratively attached to the Department which has the same obligation to develop an Information 
system disaster recovery plan. The Board does not want to commit to doing a disaster plan on its own, 
but will work with the department as this process moves forward. 


Sincerely, 




Linda Nelson, Chair 
Board of Oil and Gas Conservation 

Thomas P. Richmond, Administrator 
Oil and Gas Division 

August 3, 2011 


RECEIVED AUG 04 2011 LEGISLATIVE AUDIT DIV. 


Tori Hunthausen, CPA 
Legislative Auditor 
Helena, Montana 59620-1705 

Dear Ms. Hunthausen: 


Thank you for the opportunity to review and comment on the performance audit of the Board of Oil and 
Gas Conservation’s regulatory program. Although the Board of Oil and Gas is administratively attached 
to DNRC and the Board has responded under separate cover to the audit, we would like to add a specific 
response to recommendation number six. IT management is an issue of importance across state 
government. We will work with BOG to become part of the ITSD state domain. 


RECOMMENDATION #6 

We recommend the division, under the supervision of the Board of Oil and 
Gas Conservation, comply with statute and state information technology by: 

A. Developing, documenting, and maintaining an Oil and Gas Information System security plan. 


B. Enforcing, through automated methods, the state information technology password policy for 
the Oil and Gas Information System. 


We concur with this recommendation. DNRC’s Office of Information Technology remains 
available to work with the BOGC to upgrade and implement the IT system security 
recommendations. We believe these issues can most effectively be addressed over the long term 
if the BOGC would become part of the ITSD state domain. 


Again, thank you for this opportunity to respond to the performance audit of the Board of Oil and Gas. 


Sincerely, 


Mary Sexton 
DNRC Director 


